
Client ToolBox

The EJBCA Client Toolbox is a set of tools built as a stand-alone package, which can be put on any machine and run independently of EJBCA.

The Client Toolbox provides commands to function as a Web Service RA, to manage keys on PKCS#11 HSM, to perform EJBCA health checks, to enroll CVC EAC certificates, and to test CMP and SCEP protocols.

The Client Toolbox also includes a Web Service CLI tool to be used as a command line interface for the Web Service Interface, see Using the Web Services CLI in Web Service Interface.

Available commands

  1. The EJBCA clientToolBox has been installed on your CLIENT instance. Switch to the CLIENT VM instance to view a list of the available commands.

Reminder: you can visit the Accessing Your Environment page for details on how to connect to your CLIENT VM instance. See the section entitled "Connecting to EJBCA using AdminWeb, and RAWeb via Browser".

  2. Open a TERMINAL session and issue the following command to display the available clientToolBox commands.

CODE
  cd ~/clientToolBox
  ./ejbcaClientToolBox.sh

The following lists the available clientToolBox commands:

NONE
You must specify which tool to use as first argument.
These tools are available:
 - healthCheck
 - healthCheckTest
 - PKCS11HSMKeyTool
 - OCSP
 - EjbcaWsRaCli
 - CvcWsRaCli
 - CMPTest
 - CMPKeyUpdateStressTest
 - SCEPTest
 - OCSPActivate
 - DBManager
 - PasswordGenerator
 - CaIdGenerator
 - jdbc
 - UrlGenerator
 - RESTTest
 - SerObjectAnalyzer
 - SerObjectMerger


EJBCA also contains the p11ng toolset, which can be used for various operations against an HSM. Switch to the CA instance to view a list of the available commands.

CODE
docker exec -it ejbca-CA /opt/keyfactor/bin/p11ng-cli.sh

Commands available for p11ng.cli tool:

CODE
The following commands are available:

    deleteobject                Deletes objects.
    generatekey                 Generates symmetric key on the HSM
    generatekeypair             Generates a key pair
    listkeypairs                List key pairs that can be used by P11NG, and print details for them.
    listobjects                 List objects available on the slot.
    listslots                   Lists slots available on the HSM
    modifyobjectattribute       Can set the following Boolean CKA attributes of a private or public key object, object handles can be listed using the listobjects command.

Note that different HSMs may not allow setting all these values, so you may get errors depending in the HSM used. CKA.ID, CKA.ENCRYPT, CKA.DECRYPT, CKA.SIGN,CKA.VERIFY, CKA.SIGN_RECOVER, CKA.VERIFY_RECOVER, CKA.WRAP, CKA.UNWRAP, CKA.DERIVE

    onetimeperformancetest      Runs a one time performance test generating an RSA key and signing with it.
    showinfo                    Shows information about HSM.
    showobjectattributes        Shows the following attributes of an object, object IDs can be listed using the listobjects command: CKA.ID, CKA.TOKEN, CKA.SENSITIVE, CKA.PRIVATE, CKA.EXTRACTABLE, CKA.ENCRYPT, CKA.DECRYPT, CKA.SIGN,CKA.VERIFY, CKA.SIGN_RECOVER, CKA.VERIFY_RECOVER, CKA.WRAP, CKA.UNWRAP, CKA.DERIVE, CKA.KEY_TYPE, CKA.MODULUS_BITS,CKA.PUBLIC_EXPONENT, CKA.MODULUS, CKA.EC_PARAMS

    showslotinfo                Prints information about the slot.
    showtokeninfo               Prints information about token.
    signperformancetest         Runs a signing performance test. Without the --verify flag, the test only calls 'initSign, update, sign' using the private key, while adding --verify also reads the public key and verifies (in software) the created signature.


Type a command and "--help" for more information.

List current crypto keys in the EXTRA_SLOT_1 slot using the CLI tool. Enter the PIN foo123 when prompted for each of these commands.

CODE
docker exec -it ejbca-CA /opt/keyfactor/bin/p11ng-cli.sh listobjects --lib-file /opt/keyfactor/p11proxy-client/p11proxy-client.so --slot-ref SLOT_LABEL --slot EXTRA_SLOT_1

The slot will be empty.

CODE
Private Key Objects:  []

Public Key Objects: []

Certificate Key Objects: []

Data Objects: []

Generate an RSA key pair in the slot with the label EXTRA_SLOT_1. Enter the PIN foo123 when prompted for each of these commands. Note: This could also be done in any of the other slots.

CODE
docker exec -it ejbca-CA /opt/keyfactor/bin/p11ng-cli.sh generatekeypair --lib-file /opt/keyfactor/p11proxy-client/p11proxy-client.so --slot-ref SLOT_LABEL --slot EXTRA_SLOT_1 --alias p11ngRSA001 --key-spec RSA4096 --key-usage SIGN_ENCRYPT

List the current crypto keys in the EXTRA_SLOT_1 slot again using the CLI tool, and notice the new key added to the crypto token.

CODE
docker exec -it ejbca-CA /opt/keyfactor/bin/p11ng-cli.sh listobjects --lib-file /opt/keyfactor/p11proxy-client/p11proxy-client.so --slot-ref SLOT_LABEL --slot EXTRA_SLOT_1

The slot will now contain a public/private key pair when viewed. Similar results will be displayed when viewing the token.

CODE

Private Key Objects: [5]
Object 5
   CKA_ID:       0x7031316e67525341303031 "p11ngRSA001"
   CKA_LABEL:    0x707269762d7031316e67525341303031 "priv-p11ngRSA001"

Public Key Objects: [6]
Object 6
   CKA_ID:      0x7031316e67525341303031 "p11ngRSA001"
   CKA_LABEL:   0x7075622d7031316e67525341303031 "pub-p11ngRSA001"

Certificate Objects: []

Secret Key Objects: []

Data Objects: []
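
As an added check (example code written for this page, not part of the EJBCA tooling), the script below reads saved listobjects output on stdin and confirms that an alias appears as exactly one private and one public key object whose CKA_ID is the hex encoding of that alias. The function names hex_of and check_keypair are hypothetical; the sample inputs are the two listobjects outputs shown above.

```shell
#!/bin/sh
# Added example: confirm that an alias appears as a matching private/public
# pair in saved `listobjects` output. Function names are hypothetical.

# Hex-encode a string the way listobjects prints CKA_ID: 0x + lowercase hex.
hex_of() {
  printf '0x%s' "$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')"
}

# check_keypair ALIAS   (listobjects output on stdin)
# Succeeds only if exactly one private and one public key object have a
# CKA_ID equal to the hex encoding of ALIAS.
check_keypair() {
  awk -v want="$(hex_of "$1")" '
    /^Private Key Objects:/ { sec = "priv"; next }
    /^Public Key Objects:/  { sec = "pub";  next }
    /Objects:/              { sec = "";     next }   # any other section
    sec != "" && $1 == "CKA_ID:" && $2 == want { n[sec]++ }
    END {
      printf "private=%d public=%d\n", n["priv"], n["pub"]
      exit !(n["priv"] == 1 && n["pub"] == 1)
    }'
}

# Sample inputs: the two listobjects outputs shown on this page.
EMPTY_SLOT='Private Key Objects:  []
Public Key Objects: []
Certificate Key Objects: []
Data Objects: []'

AFTER_KEYGEN='Private Key Objects: [5]
Object 5
   CKA_ID:       0x7031316e67525341303031 "p11ngRSA001"
   CKA_LABEL:    0x707269762d7031316e67525341303031 "priv-p11ngRSA001"

Public Key Objects: [6]
Object 6
   CKA_ID:      0x7031316e67525341303031 "p11ngRSA001"
   CKA_LABEL:   0x7075622d7031316e67525341303031 "pub-p11ngRSA001"

Certificate Objects: []
Secret Key Objects: []
Data Objects: []'

printf '%s\n' "$AFTER_KEYGEN" | check_keypair p11ngRSA001 && echo "key pair present"
printf '%s\n' "$EMPTY_SLOT"  | check_keypair p11ngRSA001 || echo "key pair missing"
```

A private key object without a matching public key object (or the reverse) makes the check fail, which is worth catching before the alias is referenced from a crypto token.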
